Twitter paid researchers $322,420 to squash bugs over past two years

In an attempt to make the micro-blogging platform Twitter free of vulnerabilities, the company has awarded monetary rewards to 1,662 researchers under the Bug Bounty Program.

The Bug Bounty Program started out in May 2014 as the company wanted to engage with the developer community and give them a change to disclose security vulnerabilities on the platform. Twitter in a report reveals that it has received over 5,100 submissions and has paid out $322,420 to researchers since past two years. The bounty program running on HackerOne has been invaluable to the social network’s security.

The report details that the rewards are handed out in multiples of $140. So the minimum amount that ever been paid out to a researcher is $140, while the most Twitter has ever spent on a single bug is however $12,040. One of the researchers has been able to snag a sum total of $54,000 for reporting vulnerabilities on the platform in 2015. Google also runs a similar program that pays researchers to discover and report bugs on each of its services, and has recently paid $17,500 for Chrome bug identification.

Arkadiy Tetelman, a software engineer at Twitter states that,

Since launching the program we’ve seen impressive growth in both the number of vulnerabilities reported and our payout amounts, reflecting our rising payout minimums and also the growing community of ethical hackers participating in the program.

The micro-blogging platform still has a minimum of $15,000 to offer to anyone who is able to discover vulnerabilities that leave the platform open to remote code execution. Twitter also added that it only makes the fixed bugs public and that too with the permission of the researcher who reported the vulnerability. Thus, only 20 per cent of the resolved bugs have been disclosed to the public. A couple important bugs that have been fixed via developer submissions include: protection against cross site scripting attacks inside the Crashlytics Android app, HTTP response splitting with header overflow and credit card deletion attack from hackers.

If you’re interested in knowing about the discovered vulnerabilities in detail, you can head over and read the complete report right here.